Chronosphere Onboarding Guide

Forward logs directly to Panther using Chronosphere Telemetry Pipeline

Overview

Chronosphere Telemetry Pipeline is a flexible telemetry pipeline that can stream logs from a variety of sources to an HTTP Source in Panther.

While this guide only explains how to configure Chronosphere Telemetry Pipeline with a Panther HTTP Source, it is also possible to stream logs to an S3 Source in Panther. If you would like to stream logs to an S3 Source, use the Amazon S3 destination plugin in Chronosphere Telemetry Pipeline.

How to route logs to Panther using Chronosphere Telemetry Pipeline

Prerequisite

Ensure you have followed the Chronosphere Telemetry Pipeline installation documentation, which includes creating a Core Instance. Chronosphere Telemetry Pipeline can run on Linux and Kubernetes environments.

Step 1 (Optional): Decide where to filter and/or transform logs

If your raw logs need to be filtered out or transformed in some way, those actions can happen in Chronosphere or Panther.

In the Chronosphere Telemetry Pipeline web interface, you can filter or transform logs by:

Using a parser
Defining processing rules

If you'd like to use these tools in Chronosphere, you will configure them in Step 3, below.

In Panther, you can filter or transform logs by:

Using ingestion filters
Using a parser in the associated log schema
Using transformations in the associated log schema

If you'd like to use a parser or transformations in Panther, create a custom log schema now. If you'd like to use ingestion filters in Panther, you'll configure them in Step 2, below.

Step 2: Create an HTTP source in Panther

Follow Panther's instructions for configuring an HTTP Source.
- For the authentication method, select Shared secret.
- If you created a schema in Panther in Step 1, attach it to the source. If you haven't created a schema yet, you can infer one after data has been received.
If you'd like to use ingestion filters, follow one of the instructions sets below:
- How to create a raw event filter
- How to create a normalized event filter

Step 3: Configure Chronosphere Telemetry Pipeline to forward to the HTTP endpoint

In the Chronosphere Telemetry Pipeline web interface, navigate to your Core Instance.
Under Kubernetes Namespaces, click Create a custom pipeline.
Click + Source to add a source.
1. In the Add or Edit Source slide-out panel, select a source tile.
2. Configure the source as desired, then click Save.
Click + Destination to add an HTTP destination plugin.
1. On the Add or Edit Destination slide-out panel, under Network Based, click HTTP.
2. Under General, set the following fields:
  1. Host: Enter the HTTP Source URL you generated in Panther in Step 2.
  2. Port: Enter 443.
  3. URI: Enter the end of the HTTP Source URL you generated in Panther in Step 2, starting with /http/.
    Example: /http/cb015ee4-543c-4489-9f4b-testaa16d7a
3. Under Advanced, add a Key/Value pair under Headers.
  - Key: Enter the Shared Secret key you entered in Panther in Step 2.
  - Value: Enter the Shared Secret value you generated or entered in Panther in Step 2.
4. Under Security and TLS, click the TLS checkbox and set TLS Certificate Validation to on.
5. Click Save.
(Optional) Add processing rules to your pipeline by following the Chronosphere Add processing rules to your pipeline documentation.
Click Save and deploy.
Configure your log sources to route to the endpoint or port defined by the pipeline’s source(s).

PreviousData Pipeline Tools NextCribl Onboarding Guide

Last updated 13 days ago